Equifax and two other consumer credit bureaus, Experian and TransUnion, create the reports used to calculate credit scores, the ubiquitous three-digit numbers that banks, insurers, lenders and employers rely on to make all manner of decisions. Those scores, the algorithmic assessment of a consumer’s entire financial history, help decide whether somebody gets a job or a new home.
The bureaus each have files on roughly 200 million Americans. And consumers have little choice, since banks and other companies hand over financial information and other data directly to the bureaus. The industry has been marred by complaints of mistakes on credit reports and difficulties in fixing them.
The data breach at Equifax, which affected 143 million people, could compound the problems, leaving consumers vulnerable to identity theft. It was the third hacking disclosed by Equifax this year.
“You cannot fire the three credit bureaus,” said Rohit Chopra, a former assistant director at the Consumer Financial Protection Bureau and now a senior fellow at the Consumer Federation of America. “Credit reporting agencies are the plumbing of our financial system but are much less regulated than many banks.”
TransUnion said it was investigating the nature of Equifax’s attack and what, if any, actions might be appropriate. Experian and Equifax did not return calls for comment. Equifax released a statement apologizing to customers for “the concern and frustration this causes.”
The credit bureaus fall into something of a regulatory gray area in Washington.
They are covered by many of the same data security laws that apply to banks. But banks face much stricter oversight, with a team of agencies working together to audit institutions and monitor their compliance. Non-bank companies, like the credit bureaus, generally are scrutinized only after something has gone wrong.
Federal laws require all companies to take reasonable steps to safeguard consumer data. While the Consumer Financial Protection Bureau has some supervisory and enforcement authority over the credit bureaus, the agency generally leaves data privacy enforcement to the main regulator in charge of it, the Federal Trade Commission. And the trade commission lacks the authority to impose big fines.
Last month, the commission punished TaxSlayer, a tax preparation website, for a weak security system that allowed hackers to gain access to nearly 9,000 customer accounts….